Message-ID: <006c01caaeb1$46eecce0$d4cc66a0$@moore@insomniasec.com>
Date: Tue, 16 Feb 2010 15:39:29 +1300
From: "Brett Moore" <brett.moore@...omniasec.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Insomnia : ISVA-100216.1 - Windows URL Handling Vulnerability

__________________________________________________________________

 Insomnia Security Vulnerability Advisory: ISVA-100216.1
___________________________________________________________________

 Name: Windows URL Handling Vulnerability 
 Released: 16 February 2010
  
 Vendor Link: 
    http://www.microsoft.com/
  
 Affected Products:
    Windows 2000, Windows XP, Windows 2003, Windows Vista
     
 Original Advisory: 
    http://www.insomniasec.com/advisories/ISVA-100216.1.htm
 
 Researcher: 
    Brett Moore, Insomnia Security
    http://www.insomniasec.com
___________________________________________________________________

_______________

 Description
_______________

A flaw exists in the handling of malformed URLs passed through
the ShellExecute() API. The vulnerability does not directly cause
an issue within Windows itself; however, applications that call
the flawed API may be vulnerable to various attacks, one of which
is shown in this report.

_______________

 Details
_______________

The vulnerability is reached when the malformed URL contains #: 
and can be used to reference local files.

Two such examples are shown here:
    acrobat://test/#://../../c:/windows/system32/calc.exe
or
    anything://test/#://../../c:/windows/system32/calc.exe

The results will differ depending on where the URL is used
and which OS platform is in use.

Some examples are shown here:

Start->Run
    Calc.exe is executed without prompt

IE URL Bar or HREF
    User is prompted to execute calc.exe

Word Document
    User is prompted to open acrobat link
    
PDF Document    
    Calc.exe is executed without prompt

Firefox
    Firefox will not follow the URL    
    
Safari    
    Calc.exe is executed without prompt  
      
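As an added example (not part of the advisory), the following C check is
one an application could run on a URL string before handing it to
ShellExecute(): it rejects any URL whose fragment begins with ':' or
embeds "://", a ".." traversal sequence or a drive letter, which is the
shape of the malformed links shown above. The function and enum names
are assumptions of this example, not a Windows or Insomnia API.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Verdicts for a URL string inspected before it reaches ShellExecute(). */
enum url_verdict {
    URL_OK = 0,
    URL_BAD_SCHEME,         /* scheme is not [A-Za-z][A-Za-z0-9+.-]* followed by ':' */
    URL_FRAGMENT_SCHEME,    /* fragment starts with ':' or embeds "://" (the "#:" pattern) */
    URL_FRAGMENT_TRAVERSAL, /* fragment contains ".." */
    URL_FRAGMENT_DRIVE      /* fragment contains a drive spec such as "c:/" or "c:\" */
};

/* True if s points at a drive letter followed by ':' and a path separator. */
static bool is_drive_spec(const char *s)
{
    return isalpha((unsigned char)s[0]) && s[1] == ':' &&
           (s[2] == '/' || s[2] == '\\');
}

/* Inspect a URL and return URL_OK only if nothing in it resembles the
 * fragment-based local file reference described in the advisory. */
enum url_verdict check_url(const char *url)
{
    const char *p = url;

    /* Scheme must look like a real URL scheme, not a bare path. */
    if (!isalpha((unsigned char)*p))
        return URL_BAD_SCHEME;
    while (isalnum((unsigned char)*p) || *p == '+' || *p == '-' || *p == '.')
        p++;
    if (*p != ':')
        return URL_BAD_SCHEME;

    /* Everything after the first '#' is the fragment; that is where the
     * malformed "://../../c:/..." reference is carried. */
    const char *frag = strchr(p, '#');
    if (frag == NULL)
        return URL_OK;
    frag++;
    if (frag[0] == ':' || strstr(frag, "://") != NULL)
        return URL_FRAGMENT_SCHEME;
    if (strstr(frag, "..") != NULL)
        return URL_FRAGMENT_TRAVERSAL;
    for (const char *q = frag; *q != '\0'; q++)
        if (is_drive_spec(q))
            return URL_FRAGMENT_DRIVE;
    return URL_OK;
}
```
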
___________________

 Potential Exploit
___________________
      
Safari will not access the local file through the standard
file:// link, but will execute the local file through the malformed
link.

One method of executable delivery is through the onenote:// 
URL protocol if Microsoft OneNote is installed.

OneNote will automatically open and process a onenote file shared
over an SMB share. Any executables stored within the onenote file
will be cached locally. This is done by downloading the embedded
executables and storing them in a known location.

C:/Users/[USERNAME]/AppData/Local/Microsoft/OneNote/12.0/OneNoteOfflineCache_Files/

This file can then be executed through the URL handling vulnerability
leading to an automatic code execution issue through Safari.

Obviously there are some requirements for this exploit:
+ the target user name must be known
+ Microsoft OneNote must be installed
+ SMB access out must be allowed
      
_______________

 Solution
_______________

Microsoft have released a security update to address this issue:
http://www.microsoft.com/technet/security/Bulletin/MS10-002.mspx
http://www.microsoft.com/technet/security/Bulletin/MS10-007.mspx

_______________

 Legals
_______________

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.
___________________________________________________________________